Chapter 6 Database Security Integrity for databases record
Chapter 6 – Database Security Integrity for databases: record integrity, data correctness, update integrity u Security for databases: access control, inference, and aggregation u Multilevel secure databases: partitioned, cryptographically sealed, filtered u
Introduction to Databases Database – collection of data and set of rules that organize the data by specifying certain relationships among the data u Database administrator (DBA) u Database management system (DBMS) – database manager, frontend u
Introduction to Databases Records – contain related group of data u Fields (elements) – elementary data items u Schema – logical structure of database u Subschema – view into database u
Introduction to Databases u Relational • Rows (relation); columns (attributes) • DB 2, Oracle, Access u Hierarchical • IMS u Object-oriented
Introduction to Databases u Queries • SELECT NAME = ‘ADAMS’ • SELECT (ZIP = ‘ 43210’) ^ (NAME = ‘ADAMS’) u Project • SHOW FIRST WHERE (ZIP = ‘ 43210’) ^ (NAME = ‘ADAMS’) u Join • SHOW NAME, AIRPORT WHERE NAME. ZIP = AIRPORT. ZIP
Advantages of Using Databases Shared access u Minimal redundancy u Data consistency u Data integrity u Controlled access u
Security Requirements Physical database integrity u Logical database integrity u Element integrity u Auditability u Access control u User authentication u Availability u
Integrity of the Database Users must be able to trust the accuracy of the data values u Updates are performed by authorized individuals u Integrity is the responsibility of the DBMS, the OS, and the computing system manager u Must be able to reconstruct the database at the point of a failure u
Element Integrity Correctness or accuracy of elements u Field checks u Access control u Maintain a change log – list every change made to the database u
Auditability & Access Control Desirable to generate an audit record of all access to the database (reads/writes) u Pass-through problem – accessing a record or element without transferring the data received to the user (no reads/writes) u Databases separated logically by user access privileges u
Other Security Requirements User Authentication u Confidentiality u Availability u
Reliability and Integrity Database integrity u Element accuracy u u Some protection from OS • File access • Data integrity checks
Two-Phase Update Failure of computing system in middle of modifying data u Intent Phase – gather resources needed for update; write commit flag to the database u Update Phase – make permanent changes u
Redundancy / Internal Consistency u Error detection / Correction codes (parity bits, Hamming codes, CRCs) u Shadow fields u Log of user accesses and changes
Concurrency/Consistency u u u Access by two users sharing the same database must be constrained (lock) Monitors –check entered values to ensure consistency with rest of DB Range Comparisons State Constraints – describes condition of database (unique employee #) Transition Constraints – conditions before changes are applied to DB
Sensitive Data that should not be made public u What if some but not all of the elements of a DB are sensitive u • Inherently sensitive • From a sensitive source • Declared sensitive • Part of a sensitive attribute or record • Sensitive in relation to previously disclosed information
Access Decisions Need an access policy (programmed into DBMS) u Availability – blocking; permanent blocking u Acceptability of Access (sensitive data) u Assurance of Authenticity u
Types of Disclosures u Exact Data u Bounds u Negative Results u Existence of Data u Probable Values
Security vs. Precision Aim to protect all sensitive data while revealing as much nonsensitive data as possible u Want to maintain perfect confidentiality with maximum precision u
Inference Way to infer / derive sensitive data from nonsensitive data u Direct Attack u • List NAME where SEX=M ^ DRUGS=1 • List NAME where (SEX=M ^ DRUGS=1) v (SEX#M ^ SEX#F) v (DORM=AYRES)
Indirect Attack u Sum • Show STUDENT-AID WHERE SEX=F ^ DORM=Grey u Count • Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes • List NAME where (SEX=M ^ DORM=Holmes) u u Median Tracker Attacks – using additional queries that produce small results
Controls Suppression – don’t provide sensitive data u Concealing – don’t provide actual values (“close to”) u Limited Response Suppression u • n-item k-percent rule eliminates low frequency elements from being displayed (may need to suppress additional rows/columns)
Controls u Combined Results • Sums • Ranges • Rounding Random Sample u Random Data Perturbation u Query Analysis – “should the result be provided” u
Conclusion on the Inference Problem u Suppress obviously sensitive information u Track what the user knows u Disguise the data
Aggregation Building sensitive results from less sensitive inputs u Data mining – process of sifting through multiple databases and correlating multiple data elements to find useful information u
Multilevel Databases u Differentiated Security • Security of single element may be different from security of other elements • Two levels – sensitive and nonsensitive are inadequate to represent some security situations • Security of an aggregate (sum, count, …) may be different from security of the individual elements u Granularity
Security Issues u Integrity • *-property for access control • Either process cleared at a high level cannot write to a lower level or process must be a “trusted process” u Confidentiality • Different users at different levels may get different query results • Polyinstantiation – record can appear more than once with different levels of confidentiality
Proposals for Multilevel Security u Separation • Partitioning – divide DB into separate DBs with own level of sensitivity • Encryption (time consuming) • Integrity Lock – each data item contains a sensitivity label and a checksum Sensitivity label must be unforgeable, unique, concealed u Checksum must be unique u Sensitivity lock u
Design of Multilevel Secure Databases Integrity Lock – not efficient (space/time) u Trusted Front-end (Guard) – does authentication and filtering u Commutative Filters – u • screen user’s requests, reformats, so that only appropriate data is returned
Design of Multilevel Secure Databases u Distributed (federated) database • Trusted front-end controls access to two DBMSs – one for high-sensitivity data and one for low-sensitivity data • Very complex u Window/View • Subset of a database containing exactly the information that the user is entitled to access
- Slides: 30